GRC-01: Governance Program Policy and Procedures

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.

Implementation Guidance

Organizational leadership should govern the program. The program should include—but is not limited to—policies and procedures regarding legal matters, industry-specific regulations, regional requirements, compliance mandates, security and privacy requirements, and information governance. Management of each business area should include the implementation of all applicable governance policies and procedures. Policies and procedures should be reviewed and updated at least annually.

Auditing Guidance

  1. Examine the policy and/or procedures related to information governance programs to determine whether the organization has developed a comprehensive strategy for information governance.
  2. Examine policies and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.